UniversityOfSaskatchewanCMPT371 / term-project-2024-team-4

Apache License 2.0

Login Feature: Invalid JWToken crashes backend #92

Closed lecegues closed 6 months ago

lecegues commented 6 months ago

Description

After a server restart, any existing session (cookie token) is not handled gracefully; it will shut down the whole backend if it is read by the system.

What could be the problem?

Steps to Reproduce (Local & Dockerized)

  1. Start Frontend and Backend
  2. Login with correct credentials and stay logged in (do not log out)
  3. Restart the frontend & backend services
  4. Once frontend/backend starts back up, using the same browser go to the website
  5. The backend service should crash upon noticing the cookie token

Screenshots


lecegues commented 6 months ago

Update

After taking a closer look, this seems to be a problem with the way the JWTSecret is generated. Previously the JWTSecret was exposed in the code, so it was changed to dynamically generate every time the server starts. But, this causes all the tokens that were signed by the JWTSecret to be invalid once a new one is generated upon the server restart.

Solution??

I believe a constant JWTSecret will fix this; however, I am unsure as to how to store it. Off the top of my head, I think that locally the JWTSecret can be stored using .env files, and GitHub Secrets for storing in the repository, but I am unsure about how to store it for Docker.

Where is the Problem?

/backend/routes/users.js line 11-17: code that generates a JWTSecret

lecegues commented 6 months ago

After testing the same issue with a constant JWT_SECRET value, the bug does not happen anymore. I think this confirms that I'm on the right track